← Back to team overview

openstack team mailing list archive

Re: Comparing OpenStack to OpenNebula

 

If you set:

enable_new_services=False

in your nova.conf, all new services will be "disabled" by default and the
scheduler won't start scheduling instances until you explicitly enable them.

Vish

On Feb 25, 2013, at 2:46 PM, Shawn Starr <shawn.starr@xxxxxxxxxx> wrote:

> On Monday, February 25, 2013 10:34:11 PM Jeremy Stanley wrote:
>> On 2013-02-25 06:20 -0500 (-0500), Shawn Starr wrote:
>> [...]
>> 
>>> I see no options on how to control what nova-compute nodes can be
>>> 'provisioned' into an OpenStack cloud, I'd consider that a
>>> security risk (potentially) if any computer could just register to
>>> become a nova-compute?
>> 
>> [...]
>> 
>> On 2013-02-25 11:42:47 -0500 (-0500), Shawn Starr wrote:
>>> I was hoping in future we could have a mechanism via mac address
>>> to restrict which hypervisor/nova-computes are able to join the
>>> cluster.
>> 
>> [...]
>> 
>> It bears mention that restricting by MAC is fairly pointless as
>> security protections go. There are a number of tricks an adversary
>> can play to rewrite the system's MAC address or otherwise
>> impersonate other systems at layer 2. Even filtering by IP address
>> doesn't provide you much protection if there are malicious actors
>> within your local broadcast domain, but at least there disabling
>> learning on switches or implementing 802.1x can buy some relief.
>> 
>> Extending the use of MAC address references from the local broadcast
>> domain where they're intended to be relevant up into the application
>> layer (possibly across multiple routed hops well away from their
>> original domain of control) makes them even less effective of a
>> system identifier from a security perspective.
> 
> Hi Jeremy,
> 
> Of course, one can modify/spoof the MAC address and or assign themselves an 
> IP. It is more so that new machines aren't immediately added to the cluster 
> and start launching VM instances without explicitly being enabled to do so. In 
> this case, I am not concerned about impersonators on the network trying to 
> join the cluster.
> 
> Thanks,
> Shawn
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp



References